In our IT Security class we have been told that you need CA's to prevent attacks on a digital signature. Sadly, our docent didn't elaborate how such attack would be performed - I can only guess that someone would try to do a MitM:

Alice wants to authenticate towards Bob, so she writes him a message and signs that with her private key. She also appends her public key.

Eve intercepts the message and verifies the message with Alice's public key, then signs the message with her own private key and forwards it to Bob, appending her own public key instead of Alice's.

Bob receives the message assuming it's from Alice, verifying it with the appended public key (from Eve) and is now sure to communicate with Alice.

So if Bob would just have looked up Alice's public key at some CA, he would have known that the appended key was wrong.

Is that the scenario people are generally referencing to when it comes to why you need CAs?

Alice doesn't encrypt the message with her private key. She encrypts it using Bob's public key, or sign it using her private key.
– YurikoMar 3 '16 at 13:38

1

A good comment. It's important to keep those terms separated.
– AdHominemMar 3 '16 at 13:47

In fact doesn't Alice create a symmetric encryption key, use that the encrypt the plaintext quickly then use her private key to encrypt a hash of the plaintext (i.e. sign it) then use Bob's public key to encrypt the symmetric key and send bob some container of that bunch of stuff. Asymmetric (AKA public-key) crypto is usually considered too slow for bulk encryption directly.
– RedGrittyBrickMar 3 '16 at 19:22

2 Answers
2

A digital signature, like all cryptographic algorithm, does not solve problems, it just moves them around.

Take care that signatures are NOT encryption. If someone tried to explain signatures as a kind of encryption, then go find them and hit them in the teeth with a wrench, repeatedly. Tell them that they are unworthy, and I am disappointed with them. This flawed explanation does not work, never worked, and spreads only confusion.

In a signature system, there is a message m, a public key kp, a private key ks, and a signature s. The signature generation algorithm computes s from m and ks. The signature verification algorithm takes m, s and kp, and returns either "true" or "false". When it returns "true", what this means is that whoever owns the public key (i.e. knows the corresponding private key) was involved in the generation of signature s on the specific message m.

The important point is in the key ownership: the signature verification algorithm does not tell you "yep, this is signed by Bob"; it only tells you "yep, this is signed by whoever owns that public key". This guarantees that the signer is really Bob only if you have a way to make sure that the public key you see is really Bob's public key. If Bob simply sent his public key along with the signed message, it would be easy to impersonate Bob by simply saying "hello, I am Bob, here is my public key, and here is my signed message". It would prove nothing at all. The attack here is simple, it is called "lying".

While signatures are useful (indeed, they reduced the problem of verifying the provenance of several messages to the problem of associated a single public key with its owner), they don't magically guarantee ownership out of thin air. This is where Certification Authorities come into play. The CA is an organism whose job is to make sure that Bob really owns his alleged public key; presumably, the CA does that by meeting Bob in person, or some other mechanism of that kind. When the CA has duly verified Bob's ownership of his key, the CA puts Bob's identity (his name) and his public key in a certificate. The CA then signs the certificate.

Alice's machine can then verify the signature on the certificate, thereby making sure that the certificate contents are really from the expected CA. At which point Alice has some guarantee about the fact that the public key she sees in the certificate is really Bob's key, and she can use it to verify signatures which have purportedly been computed by Bob.

At this point you should say: "But how can Alice verify the signature on the certificate by the CA ? She would have to know the CA public key !" And, indeed, the problem has again been moved, to the question of CA key ownership. We can move it yet another time, with another CA. And so on. But it must stop somewhere. That "somewhere" is the root CA. A root CA is a CA whose pubic key you already know, absolutely. That's the magic part. In practice, your computer comes with an operating system that already includes the public key of a hundred or so of root CA, who made a deal with Microsoft to the effect that their public keys are inherently known (and trusted) by all Windows systems.

I find saying "who owns the public key" misleading. I was about to correct you when you wrote "yep, this is signed by whoever owns that public key", but had a second glance at your post. Wouldn't key pair be better?
– YurikoMar 3 '16 at 14:07

Public and private key are mathematically linked together; this is what the expression "key pair" means. The owner of the public key is who knows the private key. From the outside, you see only the public key; you do not care how Bob really manages to produce signature, only that he is the only one who can make signatures that match his public key.
– Tom LeekMar 3 '16 at 14:12

I understood what you were saying, I just wanted to stress out that the terms who owns the public key can be misleading for someone that doesn't clearly understand the concepts (or someone not fluent in English, or someone tired, etc.), as he may understand owns as has. Everybody can have that public key. It wasn't about the technical terminology at all - your answer is perfectly great. :-)
– YurikoMar 3 '16 at 14:29

2

The attack here is simple, it is called "lying". I actually loled there, thank you.
– HopelessN00bMar 3 '16 at 20:45

A certificate authority provides a third party assurance that a public key belongs to a given entity by essentially saying "I have looked at this public key, and this entity, and I am stating that they are linked, and since I am a trusted entity, you can believe me". They do this by signing the key with their own private key, which you can verify if you have their public key.

This is all well and good, but doesn't actually prevent a MitM attack - if Bob doesn't verify the signature, or the CA doesn't actually verify that Alice owns the key, or if Eve is able to convince the CA that her name is Alice, so her key appears to be valid, or if Eve operates a trusted CA, Bob still doesn't know that the message was signed by Alice. CAs know this, so, in general, try to be good citizens and actually perform the checks they claim to do.

What would prevent a MitM attack then? Well, if Alice and Bob have another communication channel that they trust (maybe they actually meet up, examine each other's passports, and otherwise prove their identities to one another), then swap public keys, they can send messages safely in the future, since Bob knows with certainty that he has Alice's correct public key, and Alice knows the same about Bob. Eve can try and swap the content if she likes, but without the private key to sign the modified message, the recipient will know that something isn't right. In this case, you don't need a CA at all - you have direct trust.